I, uh, accidentally turned registry.yarnpkg.com into a teapot. Sorry Yarn users! I really didn’t mean to <3
Some background: this last summer we were busily switching CDNs to Cloudflare. Cloudflare has rules restricting where requests can be made – one account on Cloudflare cannot configure internal redirects to another Cloudflare account’s domain. We were unaware of this rule at the time — it didn’t occur to us at the time to check where registry.yarnpkg.com was hosted. (It turns out: it’s hosted on Cloudflare and internally redirects to registry.npmjs.org. You might see where this is heading.)
So, we flip the switch to migrate on a Friday afternoon – a low-traffic time for us. After flipping the switch, registry.yarnpkg.com became unusable due to the security restrictions. Cloudflare was super helpful in fixing the bug, which involved allowing the Yarn Cloudflare account to talk to the npm Cloudflare account’s domains. However, Cloudflare advised us to restrict the incoming domains that we allow requests from via the
In our Cloudflare worker, I add an allow-list that checks the incoming Host header against a list of allowed hosts. Easy-peasy. Somewhat cheekily, I added a 418 I'm a Teapot response for any Host not explicitly allowed (anything that’s not registry.yarnpkg.com, for example). I mean, no one’s ever going to see this, right?
Host headers from registry.yarnpkg.com contained port numbers (registry.yarnpkg.com:443), and thus we went from “The yarn registry url doesn’t work” to “The yarn registry now claims to be a teapot.” Cough.
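The port-number failure described above, as an added example (not the code from the post or from npm's worker): an exact-match Host check next to one that normalizes the header before comparing. The allow-list contents and all function names are assumptions made for illustration.

```javascript
// Assumed allow-list; both hostnames appear in the post, the real list is not shown there.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);

// Exact match on the raw header value. In a Worker the value would come
// from request.headers.get("host"). This is the check that breaks when a
// client or proxy sends "registry.yarnpkg.com:443".
function naiveIsAllowed(hostHeader) {
  return ALLOWED_HOSTS.has(hostHeader);
}

// Host is "uri-host [ ':' port ]" (RFC 9110), hostnames are case-insensitive,
// and a fully qualified name may carry a trailing dot. Reduce the header to a
// bare lowercase hostname, or return null if it is not a plain hostname.
// Bracketed IP literals are rejected because the allow-list holds only names.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const h = hostHeader.trim().toLowerCase();
  const m = /^([a-z0-9.-]+?)\.?(?::(\d{1,5}))?$/.exec(h);
  if (!m) return null;
  if (m[2] !== undefined && Number(m[2]) > 65535) return null;
  return m[1];
}

function isAllowed(hostHeader) {
  const host = normalizeHost(hostHeader);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Status the worker would return; 418 mirrors the response used in the post.
function statusFor(hostHeader) {
  return isAllowed(hostHeader) ? 200 : 418;
}

// Constructed sample headers, including look-alikes that must stay denied.
const samples = [
  "registry.yarnpkg.com",
  "registry.yarnpkg.com:443",
  "Registry.YarnPkg.com.:443",
  "registry.yarnpkg.com.evil.example",
  "registry.yarnpkg.com:443@evil.example",
];
for (const s of samples) {
  console.log(s, "naive:", naiveIsAllowed(s), "normalized:", statusFor(s));
}
```

The normalized check still compares whole hostnames, so suffix and userinfo look-alikes are rejected rather than matched by prefix.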